CHP Patient Access API Member Educational Resources Regarding Privacy and Security

CHP Medicare Advantage plan and Individual Market members have the right to direct CHP to disclose their claims data, encounter data, and clinical data (collectively “health data”) held by CHP to a designated third-party application (app) through CHP's Patient Access API.

CHP is also required to provide these educational resources, which you may use when making decisions about who you choose to share your health data with.

It is important for you to take an active role in protecting your health information. To help protect the privacy and security of your data, you should consider the following:

  • If you direct CHP to share your health data with a third-party app, CHP has no control over how the third-party app will use or share your health data. CHP does not review or evaluate third-party apps or their privacy or security practices for your health data.
  • Some third-party apps may share your health data with other third parties.
  • Health data can be very sensitive, and you should be careful to choose apps with strong privacy and security standards to protect it.
  • Any app you choose to receive your health data should have an easy-to-read privacy policy that clearly explains how the app will use your data. If an app does not have a privacy policy, you should consider not using the app.
  • Before you direct CHP to share your health data with an app, you should read carefully the app’s terms of use (sometimes this information is contained in the app’s “end user license agreement”) and privacy policy to understand how the app will use and share your health data.
  • Below are factors to consider when selecting an app to receive your health data. If an app’s privacy policy does not clearly answer these questions, you should reconsider allowing the app to access your health data.

Factors to consider when selecting a third-party app to receive your health data

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
    • Will this app sell my data for any reason, such as advertising or research?
    • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
    • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
    • How does this app inform users of changes that could affect its privacy practices?

What is the Health Insurance Portability and Accountability Act (HIPAA)?

  • The Health Insurance Portability and Accountability Act (HIPAA) is a federal law. One part of it helps protect personal health information. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
  • You can find HIPAA FAQs for individuals from HHS here: https://www.hhs.gov/hipaa/for-individuals/faq/index.html

Who must follow HIPAA?

  • Organizations and individuals who must follow HIPAA regulations are called “covered entities,” which can include:
    • Health plans, like health insurance companies, health maintenance organizations (HMOs), company health plans, and certain government programs that pay for health care, like Medicare and Medicaid
    • Many health care doctors and providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, health clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists
    • Health care clearinghouses
  • Additionally, “business associates” who provide certain services for covered entities must follow parts of the HIPAA regulations. Examples of business associates include billing companies, health care claims processors, companies that store or destroy medical records, and those that help administer health plans.
  • Many organizations that have health information about you do not need to follow HIPAA rules. Examples of these organizations may include life insurers, employers, workers compensation carriers, many schools and school districts, many state agencies, many law enforcement agencies, and many municipal offices.
  • You can find more information from HHS about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.

Are third-party apps required to follow HIPAA rules?

  • Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act.
  • The FTC Act, among other things, protects against deceptive acts, for example, when an app shares personal data without a user’s permission, despite having a privacy policy that says it will not do so.
  • The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps.

HIPAA Privacy Complaints

  • If you think your HIPAA privacy rights have been violated, you can contact Member Services at the phone numbers below, or you may contact CHP’s Privacy Office directly at the address below:

Phone: Member Services 850-383-3311, 1-877-247-6512, TTY 850-383-3534 or 1-877-870-8943, Fax: 850-523-7419, Email: memberservices@chp.org. Medicare members or prospective members call 850-523-7441 or 1-877-247-6512 (TTY 850-383-3534 or 1-877-870-8943) 8:00 a.m. - 8:00 p.m., seven days a week, October 1 - February 14; 8:00 a.m. - 8:00 p.m., Monday - Friday, February 15 - September 30. State of Florida members call 1-877-392-1532, 7:00 a.m. - 8:00 p.m.

Capital Health Plan’s Compliance and Privacy Officer:

2140 Centerville Place

Tallahassee, FL 32308

What should you do if you think an app has used your data inappropriately?

Interoperability Language

Patient Access API

As mandated by the U.S. Centers for Medicare & Medicaid Services (CMS), the CHP Patient Access API meets the specification as outlined in the CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button) Implementation Guide and the DaVinci Payer Data Exchange (PDex) US Drug Formulary Implementation Guide and conforms to the technical standard for data exchange via secure API.

CHP has contracted with HealthTrio to manage and support the Patient Access API. Instructions on how to get started are provided by clicking the FHIR API link. Developers should be familiar with HL7 FHIR APIs and have an understanding of how APIs work.

Please note that the mandate requires this information to be publicly available. Should you have questions regarding the HL7 FHIR API standards or requirements, please refer to the CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button) Implementation Guide and the DaVinci Payer Data Exchange (PDex) US Drug Formulary Implementation Guide. Should you have questions regarding the CHP FHIR API, please contact HealthTrio by clicking the FHIR API link and following the instructions. CHP does not support developer-specific questions.

Doctor/Provider Directory API

As mandated by the U.S. Centers for Medicare & Medicaid Services (CMS), the CHP FHIR Directory API meets the specification as outlined in the Da Vinci PDEX Plan-Net Implementation Guide and conforms to the technical standard for data exchange via secure API.

CHP has contracted with HealthTrio to manage and support the Doctor/Provider Directory API. Instructions on how to get started are provided by clicking the FHIR API link. Developers should be familiar with HL7 FHIR APIs and have an understanding of how APIs work.

Please note that the mandate requires this information to be publicly available. Should you have questions regarding the HL7 FHIR API standards or requirements, please refer to the Da Vinci PDEX Plan-Net Implementation Guide. Should you have questions regarding the CHP FHIR API, please contact HealthTrio by clicking the FHIR API link and following the instructions. CHP does not support developer-specific questions.